Apparently, what I need is a tool that can find all the places in the HTTP request where inputs are possible (including data after the URL hash), and then try to input all of the possible entries from some dictionary that represent XSS injections to see if the application is protected against them. Of course, human judgement may be required to figure out whether an injection was successful or not (a screenshot of the page with the HTTP response rendered in a browser would be handy).

3 Answers

I've used a couple of solutions for this in the past. Both Acunetix and IBM Rational AppScan will test for Reflected, Stored, and DOM-based Cross-Site Scripting. Both applications will provide you all relevant information including request, response, potential impact, etc. AppScan will actually provide a screenshot, from what I can remember. Both will also let you re-execute the request manually to see it for yourself, or modify it slightly. I've used Acunetix extensively, and I'm still happy with it for most applications. It's also the most affordable of the two.

I don't have any experience with it, but I think that Burp Suite may also do what you need.

Prevention is the best defense. The best first line of defense is to integrate security into your software development lifecycle. Train your developers about how to prevent XSS. Train them to use input validation on inputs, and appropriate output escaping on all values dynamically inserted into a HTML document.

Remember, you can't test quality in after the fact. Developers need to own the problem of avoiding XSS. No one is perfect, so it can be helpful to perform some sort of quality assurance, to check for oversights and inadvertent bugs -- but do not accept an attitude that preventing XSS is primarily the responsibility of the testing team. It is not.

Black-box web vulnerability scanning tools.
Black-box web vulnerability scanning tools check for common vulnerabilities, like XSS, by spidering your website and sending carefully crafted malicious inputs to your web application, to see how it handles those inputs. These tools can be used to find XSS vulnerabilities. (They are also sometimes called black-box web pentesting (penetration testing) tools.)

There are many offerings in this space, both commercial and open-source. There is a broad spectrum of approaches, from purely manual penetration testing (performed by pentesting experts), to entirely automated point-and-shoot vulnerability scanning tools, to hybrid services that include a combination of the two. For manual penetration testing, you can buy services from companies that specialize in this. You can also find services that will periodically perform a combination of automated and manual penetration testing and alert you to any new vulnerabilities (e.g., WhiteHat Security). Finally, black-box vulnerability scanners are typically intended to be used in an automated fashion -- though be warned, they output a list of warnings, and someone will need to review those warnings manually, as some of those warnings will be false alarms.

Effectiveness.
It is important to keep in mind that automated black-box vulnerability scanning tools find only a fraction of vulnerabilities. One recent research study found that automated black-box vulnerability scanning found only ~40% of the vulnerabilities in the application. Manual code review by a knowledgeable security expert found many vulnerabilities that black-box vulnerability scanning missed. Therefore, if you can afford to perform both black-box vulnerability scanning and manual code review, this will be more effective at detecting vulnerabilities in your web application.

Readings.
Here are two research papers that summarize the state of the art in this area:

Compares the effectiveness of 3 commercial black-box web vulnerability scanners. Be warned that the methodology is not perfect and has been subject to some criticism. This report is largely superseded by the following one.

Contains a variety of statistics on web vulnerability scanning and other methods of detecting vulnerability. One statistic: "The probability to detect a urgent or critical error in dynamic web application is about 49% by automatic scanning and 96% by comprehensive expert analysis".
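As an added illustration of the prevention advice in this answer (input validation in front, then output escaping matched to the HTML context the value lands in), the following Python is not from the answer or from any tool named on the page; the sample input, the name pattern and the scheme allowlist are constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample input (not from the page): a display name carrying markup
# and a double quote, the kind of value a scanner submits to probe escaping.
SAMPLE_NAME = '<b>bob</b> "quoted"'

# Assumptions for the example: what a legitimate display name and link may look like.
NAME_RE = re.compile(r"^[A-Za-z0-9 ._'-]{1,64}$")
ALLOWED_SCHEMES = {"http", "https"}


def validate_name(name: str) -> bool:
    """Input validation: accept only the characters a display name needs."""
    return bool(NAME_RE.match(name))


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable 'before': the value is concatenated into the HTML body as-is."""
    return f"<p>Hello, {name}</p>"


def render_greeting(name: str) -> str:
    """Hardened: HTML-body context escaping of the dynamically inserted value."""
    return f"<p>Hello, {html.escape(name)}</p>"


def render_search_box(query: str) -> str:
    """Attribute context: the attribute is always quoted and quotes are escaped too."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def render_link(url: str, label: str) -> str:
    """URL context: HTML escaping alone does not constrain the scheme, so the
    scheme is checked against an allowlist before the value is escaped."""
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


def markup_survived(fragment: str, untrusted: str) -> bool:
    """Check: True if the raw untrusted value reached the document unescaped."""
    return untrusted in fragment
```

Each render function takes the same untrusted value but escapes it for the context it is inserted into; the `markup_survived` check is the kind of assertion a unit test can run before a scanner ever sees the page.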

This is not a recommendation and does not add anything to the existing answers. You need to provide more information for your answer to add anything to the existing information for this question.
– Kate Paulk, May 30 '14 at 13:32